IPSEC Tunnel between PIX and Symantec 200R

Torb3n · ‎03-05-2003

Hi.

Is there anybody You knows how to create an IPSEC tunnel between a PIX firewall and a Symantec 200R firewall.

I know how to configure the PIX, but can't figure out the Symantec 200R firewall!

It's working fine PIX-to-PIX!

The Symantec is configure like this:

--- IPSec Secur--- IPSec Security Assiciation ---

Phase 1 Negotiation: Main mode

Encryption and Authentification Method: ESP DES SHA1

SA Lifetime: 86400 minutes

Data volume limit: 0

Inactivity Timeout: 0

Perfect forward security: Disabled

--- Local Security Gateway ---

ID Type: IP Address

Phase 1 ID: 192.168.0.1

--- Remote Security Gateway ---

Gateway address: (outside ip address of PIX Firewall)

ID Type: IP Address

Phase 1 ID: (outside ip address of PIX Firewall)

Pre shared key: ****

--- For Gateway-to-gateway tunnels --

NetBIOS Broadcast: Disabled

Global tunnel: Disabled

Remote Subnet 1 IP 10.0.0.0 255.255.0.0

The PIX Firewall is configured like this:

access-list outside_cryptomap permit ip 10.0.0.0 255.255.0.0 192.168.0.0 255.255.255.0

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto map outside_map 10 ipsec-isakmp

crypto map outside_map 10 match address outside_cryptomap

crypto map outside_map 10 set peer (outside ip address of Symantec 200R firewall)

crypto map outside_map 10 set transform-set ESP-DES-SHA

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address (outside ip address of Symantec) netmask 255.255.255.255 no-xauth no-config-mode

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

From the log of the Symantec:

[03/04/2003 08:56:17.61] (name of PIX) - Initiating IKE Main Mode

[03/04/2003 08:56:17.61] (name of PIX) - STATE_MAIN_I1: initiate

[03/04/2003 08:56:27.61] (name of PIX) - !!!: handling event EVENT_RETRANSMIT for (ip address of PIX) "(name of PIX)" #3

[03/04/2003 08:56:47.61] (name of PIX) - !!!: handling event EVENT_RETRANSMIT for (ip address of PIX) "(name of PIX)" #3

[03/04/2003 08:57:27.61] (name of PIX) - !!!: handling event EVENT_RETRANSMIT for (ip address of PIX) "(name of PIX)" #3

[03/04/2003 08:57:27.61] (name of PIX) - !!!: max number of retransmissions (2) reached STATE_MAIN_I1

[03/04/2003 08:57:27.61] (name of PIX) - !!!: starting keying attempt 2d of at most 3d

[03/04/2003 08:57:27.61] (name of PIX) - Initiating IKE Main Mode

[03/04/2003 08:57:27.61] (name of PIX) - STATE_MAIN_I1: initiate

[03/04/2003 08:57:37.61] (name of PIX) - !!!: handling event EVENT_RETRANSMIT for (ip address of PIX) "(name of PIX)" #4

[03/04/2003 08:57:57.61] (name of PIX) - !!!: handling event EVENT_RETRANSMIT for (ip address of PIX) "(name of PIX)" #4

[03/04/2003 08:58:37.61] (name of PIX) - !!!: handling event EVENT_RETRANSMIT for (ip address of PIX) "(name of PIX)" #4

[03/04/2003 08:58:37.61] (name of PIX) - !!!: max number of retransmissions (2) reached STATE_MAIN_I1

[03/04/2003 08:58:37.61] (name of PIX) - !!!: starting keying attempt 3d of at most 3d

etc.

Regards,

Torben Grisell

zaahmed · ‎03-07-2003

Hi torben

pls do check if symantec is using g1 or g2 for phase I ? also in my experience , we can get more detailed info if we capture the pix logs in this scenario ,since symantec seems to be the initiator. what logs do you see in the pix when the symantec initiates the ipsec tunnell ? PIX will complain if the policies do not match, then you can change the policies to match for both phase I and phase II